Hackers are working harder to make phishing and malware look legitimate

A Trend Micro report finds that spammers are using public and hosted cloud infrastructure to slip malicious emails past security defenses.

Even though the overall volume of malware dropped in 2019, phishing and business email compromise (BEC) went up sharply, according to Trend Micro’s 2019 Cloud App Security Roundup. The company detected over a million instances of malware in 2018 and 960,000 in 2019. Trend Micro blocked nearly 400,000 attempted BEC attacks in 2019, 271% more than the previous year, and 35% more credential phishing attempts than in 2018.

More than 11 million of the 12.7 million high-risk emails blocked in 2019 were phishing related, making up 89% of all blocked emails.
  
The report found that attackers are getting better at tricking the first layer of defense against BEC, phishing, and email-borne malware. Trend Micro described some of the more inventive approaches in the new report:

  • Phishing emails with an attachment that contained malicious remote templates loaded from remote servers
  • Spam emails containing malicious ISO attachments and using steganography to hide their tracks
  • A remote access tool campaign that used a service that allowed the creation of throwaway email addresses for the command and control server
  • Spam campaigns that use public and hosted cloud infrastructures to make attacks look more legitimate
  • Phishing kits that display innocent-looking text when a security professional tries to view the page’s source code in a browser

Also, the number of unknown phishing links in such attacks jumped from just 9% of the total to more than 44% in 2019, suggesting that scammers are registering new sites to avoid detection.

Bad actors also are increasingly using HTTPS and targeting Office 365 administrator accounts, allowing them to hijack all connected accounts on the targeted domain and use them to send malware and launch BEC attacks. 

Targeting cloud-based SaaS platforms

For one organization with about 80,000 Office 365 users, Trend Micro Cloud App Security detected over 550,000 high-risk email threats after they passed through Microsoft’s native email security filter. That works out to about seven high-risk emails per employee, including more than 27,000 BEC attempts.

At a smaller company with 1,000 Gmail users, Trend Micro found 900 malicious emails in only a three-month period, almost one per employee.

Companies moving to SaaS-based applications may be opening themselves up to security risks if they rely on built-in security, said Wendy Moore, vice president, product marketing at Trend Micro.
 
“Businesses must take ownership of cloud protection and find a multi-layered third-party solution to enhance their platform’s native security functionality,” she said.

More sophisticated social engineering

The report found that hackers are no longer using fake invoices to trick businesspeople. Now they are pretending to be company employees asking partners to take action. In December, cybercriminals compromised the account of an employee at a Chinese venture capital firm. They spoofed the domain of an Israeli startup the Chinese firm had been working with and managed to steal $1 million in funding meant for the Israeli company.

Trend Micro shared an example of a BEC email caught by the Cloud App Security platform. The email supposedly from the CEO included phrases like “No one else except us must be informed at this time,” and “First, provide me immediately the available cashflow of our bank account,” and “As soon as I receive those information, I will share with you further instructions.”

Bad actors also are using new credential phishing techniques, including malicious voice mails and shared files. One phishing campaign in July 2019 used fake OneNote Online pages hosted on a SharePoint subdomain that linked to a fake Microsoft login page.

Improving security for SaaS platforms

Trend Micro recommends the following actions to improve cloud security:

  • Move from a single gateway to a multi-layered cloud app security solution
  • Consider sandbox malware analysis, document exploit detection, and file, email, and web reputation technologies to detect malware hidden in Office 365 and PDF documents
  • Enforce consistent data loss prevention policies across cloud email and collaboration apps
  • Look for a security platform that integrates with cloud platforms and preserves user and admin functions
  • Develop comprehensive end user training programs

The report’s findings were based on data generated by Trend Micro Cloud App Security, an API-based solution that protects a range of cloud-based applications and services, including Microsoft Office 365 Exchange Online, OneDrive for Business, SharePoint Online, Gmail, and Google Drive.

An analysis of 12.7 million emails found a sharp increase in business email compromise attacks in 2019, up 271% over 2018.

Image: Trend Micro